An electronic device and a method for detecting a malicious file are provided. The method includes the following steps: An executable file is searched, and an import table is extracted from the executable file. The import table includes at least a name of a first DLL and a name of a second DLL. A distance between the first DLL and the second DLL is calculated. Whether the distance exceeds a threshold is determined. If the distance exceeds the threshold, then whether a duplicate content of the import table exists in the executable file is checked. The executable file is regarded as a malicious file if the duplicate content of the import table exists in the executable file.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for detecting a malicious file, comprising: searching an executable file and extracting an import table from the executable file, wherein the import table at least comprises a name of a first dynamic-link library (DLL) and a name of a second DLL; wherein the first DLL comprises a first function which is the last function of the first DLL, and the second DLL comprises a second function which is the first function of the second DLL; wherein the first DLL corresponds to a first address range that ends with an address of the first function, and the second DLL corresponds to a second address range that starts with an address of the second function; calculating a distance between the address of the first function and the address of the second function; determining whether the distance exceeds a threshold; and regarding the executable file as a normal file if the distance does not exceed the threshold.
2. The method according to claim 1, wherein if the distance exceeds the threshold, then whether a duplicate content of the import table exists in the executable file is checked, and the executable file is regarded as a malicious file if the duplicate content of the import table exists in the executable file.
3. The method according to claim 2, wherein if the duplicate content of the import table does not exist in the executable file, then the executable file is regarded as the normal file.
4. The method according to claim 1, wherein the import table further comprises a plurality of names of a plurality of first functions of the first DLL, a plurality of addresses of the first functions, a plurality of names of a plurality of second functions of the second DLL and a plurality of addresses of the second functions, and the distance is a difference obtained by subtracting the address of the last of the first functions from the address of the first of the second functions.
5. The method according to claim 4, wherein the addresses of the first functions and the addresses of the second functions are relative virtual addresses (RVA).
6. The method according to claim 1, wherein the threshold relates to an average value and a standard deviation of a plurality of distances among a plurality of normal DLLs.
7. The method according to claim 6, wherein the threshold is the average value plus two times the standard deviation.
8. The method according to claim 1, wherein the threshold is greater than 300 bytes.
9. A method for detecting a malicious file, comprising: searching an executable file and extracting an import table from the executable file, wherein the import table at least comprises a name of a first DLL and a name of a second DLL; wherein the first DLL comprises a first function which is the last function of the first DLL, and the second DLL comprises a second function which is the first function of the second DLL; wherein the first DLL corresponds to a first address range that ends with an address of the first function, and the second DLL corresponds to a second address range that starts with an address of the second function; calculating a distance between the address of the first function and the address of the second function; checking whether a duplicate content of the import table exists in the executable file; and regarding the executable file as a malicious file if both the duplicate content of the import table exists in the executable file and the distance exceeds a threshold.
10. An electronic device, comprising: a storage unit for storing an executable file; and a processor for searching the executable file and extracting an import table from the executable file, wherein the import table at least comprises a name of a first DLL and a name of a second DLL; wherein the first DLL comprises a first function which is the last function of the first DLL, and the second DLL comprises a second function which is the first function of the second DLL; wherein the first DLL corresponds to a first address range that ends with an address of the first function, and the second DLL corresponds to a second address range that starts with an address of the second function; wherein the processor calculates a distance between the address of the first function and the address of the second function and determines whether the distance exceeds a threshold; and the processor regards the executable file as a normal file if the distance does not exceed the threshold.
11. The electronic device according to claim 10, wherein if the distance exceeds the threshold, then the processor checks whether a duplicate content of the import table exists in the executable file, and the processor regards the executable file as a malicious file if the duplicate content of the import table exists in the executable file.
12. The electronic device according to claim 11, wherein if the duplicate content of the import table does not exist in the executable file, then the processor regards the executable file as the normal file.
13. The electronic device according to claim 10, wherein the import table further comprises a plurality of names of a plurality of first functions of the first DLL, a plurality of addresses of the first functions, a plurality of names of a plurality of second functions of the second DLL and a plurality of addresses of the second functions, and the distance is a difference obtained by subtracting the address of the last of the first functions from the address of the first of the second functions.
14. The electronic device according to claim 13, wherein the addresses of the first functions and the addresses of the second functions are relative virtual addresses (RVA).
15. The electronic device according to claim 10, wherein the threshold relates to an average value and a standard deviation of a plurality of distances among a plurality of normal DLLs.
16. The electronic device according to claim 15, wherein the threshold is the average value plus two times the standard deviation.
17. The electronic device according to claim 10, wherein the threshold is greater than 300 bytes.
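The abstract and claims 1 to 8 describe one staged decision: parse the PE import directory, measure the gap between consecutive DLLs' import entries, and only when that gap exceeds a threshold look for a second copy of the import table. The following is an added worked example written for this page, not code from the patent or its applicant. Its assumptions: a PE32 image that is already mapped so that RVA equals offset (for a file on disk, translate RVAs through the section table first, or take the same fields from pefile's DIRECTORY_ENTRY_IMPORT); "the address of the function" is taken to be the RVA of the function's IAT slot (claims 4 and 5); "duplicate content of the import table" is taken to mean an IMAGE_IMPORT_DESCRIPTOR whose exact bytes occur more than once in the file, which is what is left behind when a packer or infector copies the original descriptor array to a new region, appends its own DLL, and repoints the data directory; the default threshold is the 300 bytes of claim 8, and `calibrate_threshold` implements the mean plus two standard deviations of claim 7. The three sample images are constructed in memory and contain only an import directory, not a full PE header.

```python
import struct
from statistics import mean, pstdev

# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
DESC_FMT = "<IIIII"
DESC_SIZE = struct.calcsize(DESC_FMT)   # 20 bytes
THUNK_SIZE = 4                          # PE32; a PE32+ IAT uses 8-byte slots and bit 63 as the ordinal flag
ORDINAL_FLAG = 0x80000000

def read_cstr(image, rva):
    return image[rva:image.index(b"\0", rva)].decode("ascii")

def parse_imports(image, dir_rva):
    """Walk the import directory of a mapped PE32 image (assumption: RVA == offset).
    Returns [(dll_name, [(func_name, iat_slot_rva), ...]), ...] in table order."""
    dlls, rva = [], dir_rva
    while True:
        _oft, _ts, _fwd, name_rva, first_thunk = struct.unpack_from(DESC_FMT, image, rva)
        if name_rva == 0 and first_thunk == 0:          # all-zero terminator ends the array
            return dlls
        funcs, slot = [], first_thunk
        while True:
            thunk, = struct.unpack_from("<I", image, slot)
            if thunk == 0:                              # null slot ends this DLL's IAT
                break
            if thunk & ORDINAL_FLAG:
                fname = "#%d" % (thunk & 0xFFFF)        # import by ordinal
            else:
                fname = read_cstr(image, thunk + 2)     # IMAGE_IMPORT_BY_NAME: skip the 2-byte hint
            funcs.append((fname, slot))
            slot += THUNK_SIZE
        dlls.append((read_cstr(image, name_rva), funcs))
        rva += DESC_SIZE

def dll_gaps(dlls):
    """Claims 4-5: RVA of the first slot of DLL i+1 minus RVA of the last slot of DLL i."""
    return [b[0][1] - a[-1][1] for (_, a), (_, b) in zip(dlls, dlls[1:]) if a and b]

def calibrate_threshold(normal_gaps):
    """Claim 7: average plus two standard deviations of gaps measured on known-good files."""
    return mean(normal_gaps) + 2 * pstdev(normal_gaps)

def has_duplicate_import_table(image, dir_rva):
    """Claim 2's duplicate check as interpreted here: a descriptor whose exact 20 bytes occur
    more than once means the original array was copied elsewhere and the stale copy left behind."""
    rva = dir_rva
    while True:
        desc = bytes(image[rva:rva + DESC_SIZE])
        if desc == b"\0" * DESC_SIZE:
            return False
        if image.count(desc) > 1:
            return True
        rva += DESC_SIZE

def classify(image, dir_rva, threshold=300):
    """Staged decision of claims 1-3; the 300-byte default threshold is claim 8's figure."""
    gaps = dll_gaps(parse_imports(image, dir_rva))
    if not gaps or max(gaps) <= threshold:
        return "normal"
    return "malicious" if has_duplicate_import_table(image, dir_rva) else "normal"

def build_import_dir(image, dir_rva, dlls, iat_rva, data_rva):
    """Constructed sample layout: descriptors at dir_rva, one contiguous IAT from iat_rva,
    DLL and function name strings from data_rva. Not a real linker's layout."""
    for dll, funcs in dlls:
        name_rva, first_thunk = data_rva, iat_rva
        image[data_rva:data_rva + len(dll) + 1] = dll.encode() + b"\0"
        data_rva += len(dll) + 1
        for f in funcs:
            entry = b"\0\0" + f.encode() + b"\0"          # hint + name
            image[data_rva:data_rva + len(entry)] = entry
            image[iat_rva:iat_rva + THUNK_SIZE] = struct.pack("<I", data_rva)
            data_rva += len(entry)
            iat_rva += THUNK_SIZE
        iat_rva += THUNK_SIZE                             # null slot terminating this DLL's IAT
        # OriginalFirstThunk and FirstThunk share one on-disk name-thunk array in this sample
        image[dir_rva:dir_rva + DESC_SIZE] = struct.pack(DESC_FMT, first_thunk, 0, 0, name_rva, first_thunk)
        dir_rva += DESC_SIZE

def sample_normal():
    image = bytearray(0x8000)
    build_import_dir(image, 0x2000, [("KERNEL32.dll", ["GetProcAddress", "LoadLibraryA", "ExitProcess"]),
                                     ("USER32.dll", ["MessageBoxA", "GetDC"])], 0x2100, 0x2200)
    return image, 0x2000

def sample_infected():
    """Original descriptor array copied to a new region and extended by one DLL; old array stays."""
    image, old_dir = sample_normal()
    new_dir = 0x5000
    image[new_dir:new_dir + 2 * DESC_SIZE] = image[old_dir:old_dir + 2 * DESC_SIZE]
    build_import_dir(image, new_dir + 2 * DESC_SIZE,
                     [("WININET.dll", ["InternetOpenA", "InternetOpenUrlA"])], 0x5100, 0x5200)
    return image, new_dir

def sample_sparse_but_clean():
    """Large gap between the two IATs but nothing duplicated: claim 3 says normal."""
    image = bytearray(0x8000)
    build_import_dir(image, 0x2000, [("KERNEL32.dll", ["GetProcAddress"])], 0x2100, 0x2200)
    build_import_dir(image, 0x2000 + DESC_SIZE, [("ADVAPI32.dll", ["RegOpenKeyExA"])], 0x3000, 0x3100)
    return image, 0x2000

if __name__ == "__main__":
    for name, (image, d) in [("normal", sample_normal()), ("infected", sample_infected()),
                             ("sparse", sample_sparse_but_clean())]:
        print(name, dll_gaps(parse_imports(image, d)), classify(image, d))
```

The third sample is the case claim 3 exists for: a large inter-DLL gap on its own is not evidence, since a legitimate toolchain may place import thunks for different DLLs in different sections, so the file is only flagged when the stale duplicate of the descriptor array is also present. The two checks are cheap, so an attacker who rewrites the whole import directory in place (rather than copying and appending) defeats both; treat the result as one signal to combine with others, not a verdict.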
August 15, 2017
March 3, 2020